webbreacher,

OK. Real question here about and I guess .

Most of us know that the use of apps to do MFA (multifactor authentication) is a useful thing to protect someone from guessing/using our passwords on sites.

Many of the password managers now include a helpful MFA feature where you can store your password AND do MFA in their app.

My question is, doesn't this defeat the purpose of MFA if they are stored in the same app/location?

wrinkle6487,

@webbreacher Yes and no. If the app that you use gets compromised (hacked, stolen device, etc.) then you're screwed. If there is something like a keylogger or clipboard grabber, the hacker still can't get into your accounts, because the TOTP code changes every 30 seconds.
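The two failure modes discussed in this thread, shown side by side in an added example (not code from any poster or from a specific password manager): an RFC 6238 TOTP implementation in which a code captured by a keylogger is only accepted inside its own 30-second window, whereas an attacker who holds the seed itself (as a breached vault would expose it) can mint a valid code at any time. The seed value and the one-step verifier skew are constructed assumptions for the demo.

```python
import hmac
import hashlib
import struct

TIME_STEP = 30  # seconds per TOTP window (RFC 6238 default)

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(secret: bytes, at: int, step: int = TIME_STEP) -> str:
    """RFC 6238 TOTP: HOTP over the number of elapsed time steps since the Unix epoch."""
    return hotp(secret, at // step)

def verify(secret: bytes, code: str, at: int, step: int = TIME_STEP, skew: int = 1) -> bool:
    """Server-side check; accepts the current window plus +/- `skew` neighbours.
    skew=1 is an assumed (common) tolerance, not a value from the thread."""
    counter = at // step
    return any(hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-skew, skew + 1))

# Constructed demo seed (the RFC 6238 test-vector key), NOT a real secret.
# In the thread's scenario this is what the password manager vault stores.
SEED = b"12345678901234567890"

def keylogger_scenario(seed: bytes, captured_at: int, replay_at: int) -> bool:
    """A code seen once (keylogger / clipboard grabber) is replayed later.
    Only succeeds if replay_at still falls inside the accepted windows."""
    stolen_code = totp(seed, captured_at)
    return verify(seed, stolen_code, replay_at)

def vault_breach_scenario(seed: bytes, login_at: int) -> bool:
    """Attacker holds the seed (vault compromise) and generates a fresh code
    at login time; this succeeds no matter how long after the breach."""
    return verify(seed, totp(seed, login_at), login_at)
```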

myndbreaker,

@webbreacher Yes, it would defeat the purpose in one scenario: the breach of the password manager. If the password is stolen via a keylogger, the account would still be safe.
I see it as a tradeoff between using MFA at all (even with a flawed approach) or not using MFA at all.

webbreacher,

@myndbreaker Agree. It is defense in depth according to your risk model. ANY MFA + password is better than just password.

myndbreaker,

@webbreacher Exactly. In my opinion those are features for private users and not for a corporate environment.

vger,

@webbreacher In my opinion this totally depends on your threat scenario. For most people it's still more secure to store both passwords and MFA in one app. The alternatives would either be not using MFA or "inconvenience". However, this will fit in most cases. It is, normally, way harder to get your hands on, and crack, a password safe than to just brute force an account.

However, if you're a person of interest, you're likely better off storing MFA and passwords separately and on different devices.

webbreacher,

@vger I agree that using SOME MFA and password manager is better than using nothing. I was thinking of a LastPass type of scenario where an attacker could get all the things needed to log into an account.

vger,

@webbreacher Yes. LastPass is a different story and an app I wouldn't trust to hold my password for my digital recipe book.

Cloud service password managers are a valuable attack target for hackers. When done right, there should still be enough security.

I for myself have a KeePass in my self hosted cloud environment. That's as much trust as I can get without giving up too much convenience.

m4iler,

deleted_by_author

webbreacher,

@m4iler Good points and my setup is similar to yours.

jonquass,

@webbreacher
My understanding is that while it's the same app, you still need to set up the MFA device as a separate step after installing the app. So if they got access to your master password, they wouldn't have your MFA device also; that's a separate step. However, if they get your MFA device, then they have both. It protects well enough from remote threats, but not from someone swiping your phone, for example.

webbreacher,

@jonquass Understood... I should have clarified that I was really thinking about the company that houses the data becoming compromised (à la LastPass). Then the attacker could have everything they need to take over my accounts.

jonquass,

@webbreacher
Ah, interesting. Yeah, I guess so, but I'm less sure of what it means to compromise an MFA system myself. They would need an active breach to get the latest MFA token info secretly, so I guess once in they just make a way to get access when they need it. Hadn't considered this, so take my ideas with a grain of salt here :-)

Maybe worth noting I personally use a separate password manager and 2FA client, but interesting to think about.

bongoknight,

@webbreacher
For me, the main point of a password manager is to avoid reusing passwords and having accounts compromised due to this reuse. The non-tech people around me use variations of a single (often guessable) password everywhere. IMO, the threat model is centered around reuse, not around password stealing (at least in personal life; in a corporate environment maybe it's different).

webbreacher,

@bongoknight OK. I can understand that. In my scenario though, if the password manager is compromised, the attackers have everything they need to log into your accounts. Right? I'm thinking about breaches like the one LastPass had and how putting all our security "eggs" in a single "basket" is probably a bad thing.

bongoknight,

@webbreacher
Yes, I agree totally. My point was more from a risk assessment perspective: the likelihood of suffering a compromise of a password manager is much lower than that of simple reuse (and the technical skills needed are higher). So I think in a common threat model, as the likelihood is pretty low, the risk might just be considered acceptable. Even if I think the majority of people don't perform a risk assessment when choosing a password 😂

bashinho,

@webbreacher

Security and comfort are not friends.

webbreacher,

@bashinho True
